Design of telemetry update for reaction wheel unit

Citation for published version (APA):

Document status and date:
Published: 01/01/2011

Document Version:
Publisher’s PDF, also known as Version of Record (includes final page, issue and volume numbers)

Please check the document version of this publication:

• A submitted manuscript is the version of the article upon submission and before peer-review. There can be important differences between the submitted version and the official published version of record. People interested in the research are advised to contact the author for the final version of the publication, or visit the DOI to the publisher’s website.
• The final author version and the galley proof are versions of the publication after peer review.
• The final published version features the final layout of the paper including the volume, issue and page numbers.

Link to publication

General rights
Copyright and moral rights for the publications made accessible in the public portal are retained by the authors and/or other copyright owners and it is a condition of accessing publications that users recognise and abide by the legal requirements associated with these rights.

• Users may download and print one copy of any publication from the public portal for the purpose of private study or research.
• You may not further distribute the material or use it for any profit-making activity or commercial gain
• You may freely distribute the URL identifying the publication in the public portal.

If the publication is distributed under the terms of Article 25fa of the Dutch Copyright Act, indicated by the “Taverne” license above, please follow below link for the End User Agreement:
www.tue.nl/taverne

Take down policy
If you believe that this document breaches copyright please contact us at:
openaccess@tue.nl
providing details and we will investigate your claim.
Executive summary

Bradford Engineering is currently one of the top suppliers of reaction wheels in Europe. To be able to hold that position they need to improve the reaction wheels to meet more stringent requirements for future missions when it comes to stability of the wheel’s speed and communication capabilities. A part of the updates needed in the reaction wheel to meet these challenges is a re-definition of the Field Programmable Gate Array [FPGA] capabilities in their current Wheel Drive Electronics [WDE] module. My contribution in this one year project consisted of work on documentation for current running missions and to establish the baseline for the update needed in the code running in the FPGA.

The work with documentation consisted of an update on documents that needed to be provided to the costumer, Astrium: Radiation Analysis, Reliability Prediction, Failure mode, effects, and criticality analysis [FMECA] and test procedures for the Reaction Wheel Unit [RWU] that is being used for qualifying purposes. This work had an additional value of providing me the necessary background about the product so that I could later work on the update of the FPGA.

It was my task in the FPGA re design to evaluate the necessary changes that would be needed in the hardware so that an additional communication protocol is added, leaving enough capacity in the selected hardware to include an autonomous controller for wheel speed in the future. After this tradeoff on the hardware that needed to match the new requirements, I selected a new protocol interface so that it can be offered to the clients. This was later implemented in Very High Speed Integrated Circuit [VHDL].

I did an additional study on the requirements for code development and I provided, together with this study, documentation explaining the steps needed to develop the code according to these requirements, so that once the full set of requirements is defined, the company could continue with the development, using the existing work.

The overall result of a year of work at Bradford is a set of documents that I updated to meet the requirements of the costumer and a design on the new telemetry that can be used as the baseline for future versions of the RWU. The full design cycle is covered in the telemetry update, from definition of requirements to the verification using evaluation software. The whole process of VHDL design can be traced through the documents of the telemetry update that were provided.
TABLE OF CONTENTS

1. INTRODUCTION 5
   1.1 Purpose of the Project 5
   1.2 Project Organization 5
      1.2.1 Documentation Phase 6
      1.2.2 Telemetry Update 6
         1.2.2.1 Trade-off phase 6
         1.2.2.2 Development Phase 7

2. DOCUMENTATION PHASE 8
   2.1 Radiation Analysis 8
   2.2 Reliability 9
   2.3 Worst Case Analysis 10
   2.4 FMECA 10

3. TELEMETRY UPDATE 12
   3.1 Trade-off Analysis 12
      3.1.1 Selection of Device 12
      3.1.2 Selection of the protocol to implement in update 13
      3.1.3 Study of requirements 14
   3.2 Development Phase 14
      3.2.1 Definition Phase 14
      3.2.2 Architecture Phase 15
      3.2.3 Detailed Design 16
      3.2.4 Verification 17
      3.2.5 Hardware Evaluation 17
      3.2.6 Process description 19

4. RESULTS 20

5. RECOMMENDATIONS 21

6. CONCLUSION 21

7. REFERENCED DOCUMENTS 22

8. ANNEX LIST 22
LIST OF FIGURES

FIGURE 1: DEVELOPMENT TOPICS FOR REACTION WHEELS 5
FIGURE 2: PROJECT ORGANIZATION 6
FIGURE 3: LIST OF UPDATED DOCUMENTS 6
FIGURE 4: WDE RADIATION MODEL 8
FIGURE 5: EXAMPLE OF MIL-HDBK-217 FOR DIODES 9
FIGURE 6: EXTRACT FROM EXCEL TEMPLATE FOR RELIABILITY ANALYSIS 10
FIGURE 7: FMECA STRUCTURE 11
FIGURE 8: COMPARISON OF CURRENT SITUATION WITH DESIRED UPDATE 12
FIGURE 9: COMPARISON OF 3 AVAILABLE ACTEL FAMILIES 13
FIGURE 10: COMMUNICATION PROTOCOLS USED IN AOCS COMPONENTS 14
FIGURE 11: ORGANIZATION OF DEFINITION PHASE DOCUMENTATION 15
FIGURE 12: ARCHITECTURAL DESIGN OF TOP LEVEL DESIGN 16
FIGURE 13: CONTROL MODULE INTERNAL STRUCTURE 16
FIGURE 14: ICICLE BOARD WITH PROGRAMMING CHIP 17
FIGURE 15: HARDWARE EVALUATION VHDL STRUCTURE 18

LIST OF TABLES

NO TABLE OF FIGURES ENTRIES FOUND.
<table>
<thead>
<tr>
<th>Abbreviation</th>
<th>Description</th>
</tr>
</thead>
<tbody>
<tr>
<td>AOCS</td>
<td>Altitude and Orbit Control Systems</td>
</tr>
<tr>
<td>DCL</td>
<td>Declared Component list</td>
</tr>
<tr>
<td>DD</td>
<td>Displacement Damage</td>
</tr>
<tr>
<td>FMECA</td>
<td>Failure mode, effects, and criticality analysis</td>
</tr>
<tr>
<td>FPGA</td>
<td>Field Programmable Gate Array</td>
</tr>
<tr>
<td>IP</td>
<td>Intellectual Property</td>
</tr>
<tr>
<td>LED</td>
<td>Light Emitting Diode</td>
</tr>
<tr>
<td>OLED</td>
<td>Organic LED</td>
</tr>
<tr>
<td>RWA</td>
<td>Reaction Wheel Assembly</td>
</tr>
<tr>
<td>RWU</td>
<td>Reaction Wheel Unit</td>
</tr>
<tr>
<td>SEE</td>
<td>Single Event Effects</td>
</tr>
<tr>
<td>UART</td>
<td>Universal Asynchronous Receive/Transmit</td>
</tr>
<tr>
<td>WDE</td>
<td>Wheel Drive Electronics</td>
</tr>
<tr>
<td>TID</td>
<td>Total Ionizing Dose</td>
</tr>
<tr>
<td>TM/TC</td>
<td>Telemetry / Telecommand</td>
</tr>
<tr>
<td>VHDL</td>
<td>Very high speed Hardware Description Language</td>
</tr>
</tbody>
</table>
1. Introduction

1.1 Purpose of the Project

The need to have high definition in the images that are obtained in satellites increases the positioning stability requirements. For Altitude and Orbit Control Systems [AOCS] these means more advance control at reaction wheel level. Together with the addition of a controller, RWU also need to offer the clients a more modern communication interface. In addition, there is also a need to extend the power bus to be compatibles to a 100V power bus, that is, together with the 28V, the most common interface.

Of all of these topics, it was the purpose of this project to address the ones that were related with the FPGA that is present on the WDE, which needs to be updated.

The project can be divided into two main topics: Documentation and Telemetry Update. The documentation part served two purposes. It provides the necessary background on the RWU to be able to address the FPGA telemetry topic afterwards and it gives the company the input it needs from an Electrical engineer point of view on documentation that required approval from the customer.

1.2 Project Organization

To be able to address the update on the telemetry capabilities, knowledge on the current product is needed. In order to do so, the project was organized as described in Figure 2.
1.2.1 Documentation Phase

In the documentation phase, several documents were updated. The contribution to each one of these documents will be described in the coming sections. Together with the 4 major documents, additional work was done in test procedures.

1.2.2 Telemetry Update

1.2.2.1 Trade-off phase

The trade-off phase consisted on the selection of the replacement of the current FPGA to hardware that could be able to meet future design requirements, mainly, the addition of a control mechanism at hardware level.

The selection of which protocol should be implemented as an alternative to the MIL-BUS-1553 interface was also included in the trade-off. This selection was made based on market trends of
communication protocols used in AOCS interfaces. The trade-off ended with a description of what documents and what design steps were needed to be able to implement a VHDL implementation of the selected protocol.

1.2.2.2 Development Phase

Finally, the development phase consisted of the implementation of the VHDL code of the selected protocol and the base line of all the documents needed for the design. The development requirements need to have several steps in which the client reviews the design. Since the update on the RWU is planned for the coming years and the design requirements might change, the interest of the company is mainly on understand the process of development of VHDL code and to have a baseline of the documents needed; not to have a final validated code which needs no further changes.

The project ended with the testing of the developed code at hardware level by means of an evaluation board.
2. Documentation Phase

Each one of the documents produced is scrutinized by the client, which in this case is Astrium. A specialist on each one of the subjects to analyze revises the documents, makes comments, suggestions and asks for further clarification of issues if necessary. Once the documents are presented, a review board is formed where you are called to address the issues posed by the client. This first hand interaction was one of the main learning points during the whole project, besides the technical aspects.

2.1 Radiation Analysis

The purpose of the radiation analysis is to address the hardness of the EEE part when it comes to radiation effects. The radiation analysis takes a model of the RWU (Figure 4 shows a picture of the WDE module) and calculates, using the curves provided by the client, the radiation levels received by each component.

Once the radiation levels received by each component are known, it’s possible to evaluate the effects this may have and propose mitigating actions if needed. The effect on each component is determined by means of radiation testing on components lots.

A preliminary analysis was done by the company for the BepiColombo mission. An update of that analysis with the new radiation testing data was done, and to the analysis for the Sentinel 2/Earth Care missions was created based on the BepiColombo analysis.

Astrium paid special attention to the Displacement Damage [DD] radiation on optoelectronics and the SEE (Single Event Effects caused by solar flares) on active devices. A clarification of the DD analysis was done and further proof was given that no Single Event Effects [SEE] (specially one called single event latch up) affected the performance of the RWU permanently.
2.2 Reliability

The purpose of the reliability prediction is to estimate the number of Failures in Time [FITS] of the RWU. FITS is the total number of failures of the module in $10^9$ hours. The guideline for this calculation that Astrium requires is the MIL-HDBK-217. Figure 5 shows how the guideline for calculation works for diodes. As it can be seen, the analysis depends on the available information that comes from other related documents such as thermal analysis for temperatures and stress analysis for stress ratios.

![Figure 5: Example of MIL-HDBK-217 for Diodes](image)

To be able to calculate for all the components in an efficient and repeatable way, an excel template was created where the formulas for all the different types of components present in the design were set. With the new approach (previous calculations were not documented and only showed the final result) the calculations are traceable, and by changing universal parameters such as temperature, it is possible to automatically update the whole analysis efficiently.

With the current template, it is possible to address the impact of thermal changes in the reliability calculation. From the analysis, it is clear what the PCB’s temperature have a large impact on the reliability final FITS.
2.3 Worst Case Analysis

The purpose of the Worst Case Analysis is to prove that under the worst possible operating conditions for the system, every circuit will remain operational.

For this analysis, it is necessary to apply all the parametric drifts defined by ESCC standards in such a way that the conditions put the circuit under the most stress.

The input given resulted from comments received from Astrium requiring further clarification on the analysis. Also, some minor changes in the Declared Component list [DCL] led to re calculation on operating conditions from some of the circuits.

2.4 FMECA

Each possible failure mode of each component (electrical and mechanical) is defined and the effect on the overall performance is characterized and classified according to ECSS specifications.

There was a comment from the customer regarding the existing analysis stating that it did not fully comply with the ECSS requirements. The existing analysis covered the low level FMECA, the step where you determine the effects on each component and how it affects the system, but there was a lack of organization to see how the failures got reflected at Block level and equipment level.

A set of components, each with different specific failure modes can produce the same functional failure (i.e. a capacitor or a resistor failing in the power supply can both produce an under voltage). In addition, different functional failure at block level can produce the same failure at equipment level (i.e. either an under voltage in power supply or a failure in the reset circuit of the FPGA could produce the equipment to shut down). This distinction was added to be able to comply with the requirements expressed by the customer.

In addition, the customer wanted a clear list of which failures at equipment level could propagate to the higher hierarchy (i.e. mechanical vibration of wheel, spike of current consumption). This requirement was also clarified.
Figure 7: FMECA Structure
3. Telemetry Update

3.1 Tradeoff Analysis

3.1.1 Selection of Device

The telemetry Project started with a trade-off analysis to select the appropriate hardware. The current implementation has 40% occupation of gates. Replacements of the current Intellectual Property [IP] core (what controls the communication in the MIL-BUS-1553 standard) with an equivalent core for other protocol has no impact on the gate utilization. The addition of an autonomous controller for speed is what requires an increase of one order of magnitude in gate utilization.

![Figure 8: Comparison of current situation with desired update](image)

The RTSX-SU is a device with an important heritage in space industry, but of a technology that produces devices in the hundred thousand gates. More modern space FPGA’s range in the order of millions of gates.

Actel family is still the most suitable option because it guarantees code reusability of current modules. In Addition, the only non International Traffic in Arms Regulations [ITAR] alternative (which requires no import permission) is Atmel, and there space hardware is not mature enough when compared to Actel. The main characteristics of the three Actel families are described in Figure 9.
Given the high failure rate when programming that RTSX-SU had on previous missions, the ability to reprogram the device could be an important improvement in terms of time and cost. This can be achieved by using an RT ProASIC3 device.

The biggest disadvantage of this FPGA family is its low Total Ionizing dose [TID] tolerance and the lack of information regarding SEE immunity. The FPGA can withstand up to 15Krad of TID. This value is low and can bring radiation hardness assurance complications in future missions. This limited the selection to RTAX family, which is divided into S/SL and DSP.

There is one mayor advantage of RTAX-S/SL family over RTAX-DSP family: It has space heritage of 9 missions already. The manufacturer states that the architecture is the same for both, and that given this, the lack of heritage is not an issue. The truth is that the behaviour of the embedded multipliers present in DSP family when it comes to SEE has no heritage. This leaves RTAX-S/SL as the natural choice.

Since it is possible to use the already established RTAX-S/SL and still offer the same functionality, it is recommended the use of the RTAX2000S/SL as a replacement of RTSX-SU for future implementations.

### 3.1.2 Selection of the protocol to implement in update

An analysis on the market trends on AOCS interfaces using the input provided by the company was done using as input technical dossiers from ESA and the conclusions from an AOCS workgroup formed by companies from that market, with graphs such as the one shown in Figure 10.
My conclusion from this analysis is:

- Current interfaces are dominated by MIL-1553 and RS-422.
- It is expected that this dominance is maintained in the coming years.
- There is an increase in the use of SpaceWire, but it is intended for much higher speed applications.

Given this information, I conclude that the protocol that should be implemented is RS-422.

### 3.1.3 Study of requirements

The purpose of the study on requirements was to understand and document which documents were needed to be produced during the development to be able to meet the design standard ECSS-Q60 from ESA. A detail on this subject can be found in the Annex corresponding to the Trade off analysis.

### 3.2 Development Phase

#### 3.2.1 Definition Phase

The first document that needs to be produced following the ECSS-Q60 specification addresses the definition of the requirements at top level.

In this document I described how the hardware should perform, the interface with the exterior, how the development was planned and what decision were made to mitigate risks. The overall structure of the document is described in Figure 11.
Since part of the code came from the previous version (the part that deals with the Speed calculation, the interaction with the ADC converters and the over speed test), many aspects were already properly defined and documented.

The commands for the RS-422 interface were defined, the IP Core to be used was selected and an inhibition command of certain automatic functions was added as requested by Astrium.

3.2.2 Architecture Phase

The architecture design phase takes the top level requirements and divides the design into functional modules, as shown in Figure 12.

Since the ADC control module, the Wheel Speed module and the Over speed module come from the previous design, there was no need to define the I/O characteristics of these modules and their functionality. The same applies to the Core UART module from Actel that is was used as the interface of the RS-422 to the exterior.

The functionality and Input/Output [I/O] characteristics of the Control module were defined. This definitions lead to the requirements for testing of the verification plan at module level. Since this was the only module done from scratch, it was the only module that needed verification.
The purpose of the control unit is to control the interaction with the reaction wheel and the dataflow with the exterior, communication with the CoreUART module.

### 3.2.3 Detailed Design

The detail design goes one step further and defines the internal structure of the control module.

Rx and Tx modules control the interface with the CoreUART. Once a message is received the instructions decode module processes the message to check its validity and generates the signals that tell which message is received. This will affect the remaining sub modules that will act accordingly. The general structure can be seen in Figure 13.
The idea behind this document was to give the necessary information so that, if an update on the module is needed due to a change in specifications, it could be done by determining what sub module is affected, and applying the update at this level.

For each sub module, an I/O description resembling the architectural design is included, so that the functionality of each is unambiguous.

3.2.4 Verification

The purpose of the verification plan is to define the set of tests to be done to prove the functionality of the code.

The ECSS-Q60 defines the need to verify the code but gives no precisions on how to do so. Given this, the previous verification model from SEA (the developer of the VHDL code that is currently being used) is used as the baseline for this verification.

The verification was organized in two steps: module level and top level. First, a verification of the Control block was done which corresponding to the module level. A series of tests were defined, were the stimulus to the control module was set and the outputs were observed to check if they responded as expected. Secondly, a Top level verification was done, where the complete VHDL code is tested.

Given that in the future the verification should be performed for the final version, when the requirements of the client are fully set, only a preliminary verification was performed. The Verification described in the document should serve as the baseline for the tests to be performed.

After preliminary verification concluded, the VHDL code was deemed ready to perform the first hardware tests on an evaluation board.

3.2.5 Hardware Evaluation

To avoid the use of resources from the company’s e-lab, given that this test was low priority and that it is not part of the hardware validation that will be required in the future (for which the use of a prototype of the updated wheel is mandatory), a first hardware evaluation was done using an evaluation board with an available commercial FPGA from Actel. The evaluation board used is shown in Figure 14. The evaluation board includes a commercial FPGA that can be re programmed with the same code as the flight hardware, a USB interface that connects with the PC to control a RS-232 communication, an Organic Light Emitting Diode [OLED], some push buttons and additional LEDs.

![Figure 14: Icicle Board with Programming Chip](image-url)
To avoid the use of external hardware, some signals are generated internally, in an extended VHDL code that includes the running Top Level code for the RWU plus other code to interface with the OLED. The Evaluation configuration is as follows:

![Evaluation.vhd](#)

Figure 15: Hardware Evaluation VHDL structure

Figure 15 shows how I used the OLED to show the torque and the three available LEDs to show the polarity, OST and Heater status. The clock signal is driven by a 20 MHz oscillator in the board. Hot, cold and reset are push buttons. The input of the AD is fixed to ‘1’, meaning that the ADC signals are all fixed to 0xFFF. An internal clock divider is used to generate the square waves that serve as the input for Wheel Speed and OST input.

The interaction with the RS-422 is done via a serial-USB interface to a PC with a serial port monitor. RS-422 only describes the electrical performance of a differential serial protocol. Since the validation is of the code and not the electrical interface, being this one the easiest available interface. The serial port monitor allows the user to send strings or messages and monitor the result at a variable baud rate.

As an important conclusion of the testing, it was noted that the use of non standard baud rates, as the one set in the design at that moment, brings issues of compatibility with the monitors available in the market. This issue is impossible to detect with the initial verification using simulations, because during simulation, the baud rates were set to match the designed baud rate. Even thought the commercially available monitors allow you to set any given baud rate, when a non standard value was set, the communication failed, consistently showing framing and parity errors.

During the testing, the baud rate was set to a standard value of 115200 bauds. With this change, no communication problems were observed. This change in the baud rate is documented in the definition, architectural and design documents, because it implied a change in the value of the constant that is set in the CoreUART module.
I recommend to change this value to avoid complications with standard commercial monitors, that even though they offer to set the baud rate in an arbitrary value, the interface ends up being not as robust as it should when compared to the one using the standard ones. With the standard value set, no further problems were observed with the communication interface.

The modular design of the top level VHDL code allows setting any desired baud rate with minor impact on the design. It should be possible then to set this baud rate once the client has given the requirements on it.

The purpose of this test was to be able to complete the full design cycle, so that every aspect of the design is covered for the project. As a result of the hardware testing, the full functionality of the commands was proven. The same valid responses as seen during verification with test benches were seen with the hardware.

3.2.6 Process description

In the trade-off analysis, the required documents from ECSS-Q60 were analyzed, and the flow was described, as shown in Figure 16. To complete the overview on the development, an introduction of the design flow in Actel FPGA’s is done. In this document, the supporting documents that can be used were defined, together with all the documents presented in this project, if an update is needed on the design.

![Figure 16: FPGA development phases according to ECSS standard](image)

Now it is possible to make the requirements of ECSS-Q60 fit in the design cycle, using the document flow defined in the project. Using the already existing baseline of the documented listed in Figure 17 and taking into account the flow described in the process description document, it is possible to build on top of this to meet the specific requirements of the client for future missions.
4. Results

I performed several activities during this year, starting with documents that I produced, or updated, supporting the reaction wheel team in the documentation concerning BepiColombo, Sentinel 2 and Earth Care missions, and some test plans for the engineering qualification campaign that is currently taking place. After this first documentation phase, the main design performed was related to the FPGA present in the WDE and its functionality.

The result of my design on this topic consists of a functioning VHDL code for the RWU that, when compared with the previous running version of the code, has effectively replaced the MIL-BUS-1553 interface with an interface that can be directly connected to a RS-422 transceiver.

This running code also includes a new inhibition command and can be implemented in the new generation of Actel’s FPGAs for space, where it was also proven that an autonomous controller can be included as a future improvement. The code was verified with simulations and by hardware testing; it is designed in a modular way that assures that if an update is needed, it can be easily implemented.

In addition, the supporting documents that serve as the baseline for a full validation campaign are available and I produced a description on how the Actel design flow works. These documents cover from the definition of requirements to the verification plan. I did a reduced verification and a validation using evaluation hardware. This means that the only steps that were not covered correspond to the ones which require the final synthesis for the FPGA that is used for the RWU update.
5. Recommendations

New aspects to study come from the addition of a larger FPGA. With this large FPGA, the logic that is in the RWA, and that is used to generate the 4 phases for the motor can be moved to the FPGA, making the PCB’s of the RWA simpler, and getting rid of some sources of error that were observed during testing of the Over Speed Trip [OST] and wheel speed signals.

As recommendations for the development of VHDL code, it is central to produce test benches that can perform the full verification tests. For this, it’s important to change the current use of WaveFormerPro to test benches written in VHDL directly.

For the development of the autonomous controller, the use of Simulink to design the controller and the possibility to convert this design to VHDL using Matlab can lead to a reduction of design efforts.

6. Conclusion

All in all, the project as a whole gave me a complete overview of many of the design aspects regarding the electronics design for space, not only of VHDL code, but also of the hardware design that needs considerations that are not part of the normal design for commercial use, such as part stress analysis, worst case analysis and radiation analysis.

Due to the size of the company and the available resources of the reaction wheel team at the time the project took place, I was involved in the day to day issues of the team a large part of the project. Being able to be in this position gave me a unique gain over a normal DTI trainee, because I was fully immersed in the space industry, interacting with system engineers, quality representatives, and the client. This experience went beyond the technical tasks and I can say that a large amount of the learning was on communication skills and team work.
7. **Referenced Documents**

- [RD3] ECSS-Q60: Space Product Assurance: ASIC and FPGA Development

8. **Annex List**

- RWU Reliability Prediction
- RWU WDE Worst Case Analysis
- RWU RWA Worst Case Analysis
- RWU FMECA
- RWU Radiation Analysis
- Telemetry Update Trade off Analysis
- Telemetry Update Definition Requirements
- Telemetry Update Architectural Design
- Telemetry Update Verification Plan
- Telemetry Update Detailed Design Document
- Telemetry Update Reduced Verification Report
- Telemetry Update Hardware Evaluation
- Telemetry Update Process Description